Merge pull request #47 from Venafi/VEN-53638-auto-refresh-policies-ro…
…le-sync-first

Ven 53638 auto refresh policies role sync first
arykalin committed Apr 28, 2020
2 parents 5f1dc18 + 433f7e5 commit 5b48d16
Showing 16 changed files with 1,426 additions and 405 deletions.
12 changes: 6 additions & 6 deletions Makefile
Expand Up @@ -5,7 +5,7 @@ CURRENT_DIR := $(patsubst %/,%,$(dir $(realpath $(MKFILE_PATH))))

# List of tests to run
TEST ?= $$(go list ./... | grep -v /vendor/ | grep -v /e2e)
TEST_TIMEOUT?=6m
TEST_TIMEOUT?=20m
GOFMT_FILES?=$$(find . -name '*.go' |grep -v vendor)

#Plugin information
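Review bot: TEST_TIMEOUT more than triples here (6m to 20m) with no comment on why; if the acceptance tests now wait on Venafi-side policy refresh or import queues, a one-line comment next to the variable saying so would stop the next person from "fixing" it back down. Note also that the TEST variable defined two lines above (which excludes /vendor/ and /e2e) is not what the test target below runs.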
Expand Down Expand Up @@ -52,7 +52,7 @@ VAULT_CLIENT_TIMEOUT = 180s
test: linter
VAULT_ACC=1 \
go get gotest.tools/gotestsum
gotestsum --junitfile junit.xml
gotestsum --junitfile junit.xml -- -timeout $(TEST_TIMEOUT) ./...

policy_test:
go test github.com/Venafi/vault-pki-monitor-venafi/plugin/pki -run ^TestBackend_VenafiPolicy*$
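Review bot: As rendered, the backslash after `VAULT_ACC=1 \` continues onto `go get gotest.tools/gotestsum`, so the acceptance-test flag is applied to `go get` and not to the `gotestsum` invocation that actually runs the tests; move `VAULT_ACC=1` onto the `gotestsum` line (or `export` it) or the acceptance tests will silently be skipped. Two smaller points in the same hunk: `gotestsum ... ./...` runs every package, so the `TEST` filter defined at the top of the Makefile is dead, and `go get` inside a recipe rewrites go.mod/go.sum in module mode, so pin the tool with `go install gotest.tools/gotestsum@<version>` or a tools file instead.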
Expand All @@ -70,7 +70,7 @@ unset:
#Developement server tasks
dev_server: unset
pkill vault || echo "Vault server is not running"
vault server -log-level=debug -dev -config=vault-config.hcl
vault server -log-level=debug -dev -config=vault-config.hcl

dev: dev_build mount_dev

Expand Down Expand Up @@ -117,8 +117,8 @@ import_config_write:
allowed_domains=$(IMPORT_DOMAIN) \
allow_subdomains=true \
trust_bundle_file=$(TRUST_BUNDLE) \
venafi_import_timeout=15 \
venafi_import_workers=5
import_timeout=15 \
import_workers=5

import_config_read:
vault read $(MOUNT)/roles/$(IMPORT_ROLE)
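Review bot: `import_timeout=15` and `import_workers=5` are written here to what the companion `import_config_read` target treats as a role (`$(MOUNT)/roles/$(IMPORT_ROLE)`), but the README changes in this same commit move `import_timeout` and `import_workers` to the `venafi-policy` path and drop them from the role table; either this target should now write them to `$(MOUNT)/venafi-policy/<name>`, or the role path still accepts them and the README is wrong. Please reconcile the two.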
Expand Down Expand Up @@ -193,4 +193,4 @@ mount_docker:
$(VAULT_CMD) secrets enable -path=$(MOUNT) -plugin-name=$(PLUGIN_NAME) plugin

linter:
golangci-lint run
golangci-lint run
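Review bot: The old and new lines in this hunk (and in the `dev_server` hunk above) render identically, so this is a whitespace-only change; if it converts recipe indentation between spaces and tabs, say so in the commit message, since make requires a leading tab and the difference is invisible in review.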
75 changes: 40 additions & 35 deletions README.md
Expand Up @@ -121,47 +121,66 @@ Venafi Policy limits the PKI role based on Venafi Platform policies or Venafi Cl
configured using the special *venafi-policy* path which InfoSec teams can use to require compliance from a Vault CA.

1. Write default Venafi policy configuration into *venafi-policy* path:
1. For Trust Protection Platform:
1. Make credentials variable for Trust Protection Platform:
```
vault write pki/venafi-policy/default \
tpp_url="https://tpp.venafi.example:443/vedsdk" \
export CREDS='tpp_url="https://tpp.venafi.example:443/vedsdk" \
tpp_user="local:admin" \
tpp_password="password" \
zone="DevOps\\Default" \
trust_bundle_file="/opt/venafi/bundle.pem"
zone=DevOps\\Default \
trust_bundle_file=/opt/venafi/bundle.pem'
```
2. For the Cloud:
1. Or for the Cloud:
```
vault write pki/venafi-policy/default \
apikey="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
zone="zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz"
export CREDS='api_key="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" zone="zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz"'
```

1. Write the configuration into vault
```
vault write pki/venafi-policy/default $CREDS
```

Following options are supported (note: this list can also be viewed from the command line using `vault path-help pki/venafi-policy/default`):

| Parameter | Type | Description | Example |
| ------------------- | ------- | ------------------------------------------------------------------------------| --------- |
|`apikey` |string | API key for Venafi Cloud. |`142231b7-cvb0-412e-886b-6aeght0bc93d`|
|`api_key` |string | API key for Venafi Cloud. |`142231b7-cvb0-412e-886b-6aeght0bc93d`|
|`ext_key_usage` |string | A comma-separated string or list of allowed extended key usages. |`ServerAuth,ClientAuth`|
|`name` |string | Name of the Venafi policy config. IS not set will be `default` |`another-policy`|
|`tpp_password` |string | Password for web API user |`password`|
|`tpp_url` |string | URL of Venafi Platform. |`https://tpp.venafi.example/vedsdk`|
|`tpp_user` |string | Web API user for Venafi Platform |`admin`|
|`trust_bundle_file` |string | Use to specify a PEM formatted file with certificates to be used as trust anchors when communicating with the remote server.|`"/full/path/to/chain.pem"`|
|`zone` |string | Name of Venafi Platform policy or Venafi Cloud Zone ID. |`testpolicy\\vault`|

<!--TODO: add scheduled update script with prod ready security example here.-->
|`auto_refresh_interval`| int | Interval of policy update from Venafi in seconds. Set it to 0 to disable automatic policy| 0|
| `import_timeout` | int | Maximum wait in seconds before re-attempting certificate import from queue | 15 |
| `import_workers` | int | Maximum number of concurrent threads to use for VCert import | 12 |
|`enforcement_roles` |string | List of roles where policy enfrcement is enabled |`tpp`|
|`defaults_roles` |string | List of roles where default values from Venafi will be set |`tpp`|
|`import_roles` |string | List of roles from where certificates will be imported to Venafi |`tpp`|
|

Policy will be downloaded from Venafi, parsed, saved under the specified path, and displayed to the user. After policy
creation, any requested certificate will be checked against it. If the request fails compliance with the policy, the
user will see error similar to that of standard PKI role checking except stating "not allowed by Venafi policy":

```
URL: PUT http://127.0.0.1:8200/v1/vault-pki-monitor-venafi/issue/domain.com
Code: 400. Errors:
* common name import-vl9kt.import.example.com not allowed by Venafi policy
```

1. Create a role with which you want to use enforcement policy
```
vault write pki/roles/test-role \
generate_lease=true ttl=1h max_ttl=1h \
allow_any_name=true
```

1. Update the policy and add created role to the defaults and enforcement lists
```
vault write pki/venafi-policy/default $CREDS defaults_roles="test-role" enforcement_roles="test-role"
```

1. The following command can be used to display the current Venafi policy:
```
vault read pki/venafi-policy/default/policy
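Review bot: The new `export CREDS='...'` / `vault write pki/venafi-policy/default $CREDS` pattern does not work as written. An unquoted `$CREDS` is word-split but not quote-removed, so Vault receives the literal double quotes in values such as `tpp_url="https://tpp.venafi.example:443/vedsdk"`, and the `\`-newline continuations inside the single-quoted string survive as separate `\` arguments that `vault write` rejects as invalid key=value pairs. Also, `zone=DevOps\\Default` inside single quotes sends two backslashes, whereas the old `zone="DevOps\\Default"` sent one. Either keep the values on one line without inner quotes, use a bash array (`CREDS=(tpp_url=... tpp_user=...)` and `"${CREDS[@]}"`), or simply repeat the full `vault write` in each step. Separately, parking `tpp_password` in an exported environment variable puts the Venafi credential in shell history and in the environment of every child process; the docs should point at `tpp_password=-` (read from stdin) or `tpp_password=@file`, which `vault write` already supports. Table nits in the same hunk: "IS not set will be `default`" should read "If not set, `default` is used"; "enfrcement" is misspelled; the `auto_refresh_interval` description breaks off at "disable automatic policy"; and the trailing lone `|` line after `import_roles` renders as an empty row.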
Expand All @@ -171,23 +190,18 @@ configured using the special *venafi-policy* path which InfoSec teams can use to
```
vault read pki/venafi-policy/default
```
1. You can also use multiple Venafi policies by simply applying them to separate roles.

1. You can also use multiple Venafi policies by simply applying them to different roles.
1. Write another policy configuration:
```
vault write pki/venafi-policy/another-policy \
tpp_url="https://tpp.venafi.example:443/vedsdk" \
tpp_user="local:admin" \
tpp_password="password" \
zone="DevOps\\Another policy" \
trust_bundle_file="/opt/venafi/bundle.pem"
```
2. Then specify the policy name when configuring the role:
```
vault write pki/roles/venafi-role \
venafi_check_policy="another-policy" \
generate_lease=true ttl=1h max_ttl=1h \
allow_any_name=true
trust_bundle_file="/opt/venafi/bundle.pem" \
defaults_roles="venafi-role2" \
enforcement_roles="venafi-role2"
```

1. Venafi policy can be cleared using `delete` operation on the *venafi-policy* path (useful if you want to see the
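Review bot: The `another-policy` example now binds `defaults_roles="venafi-role2"` and `enforcement_roles="venafi-role2"`, but nothing in the walkthrough creates a `venafi-role2`; the role created earlier is `test-role`, and the removed second step (the `vault write pki/roles/venafi-role ... venafi_check_policy="another-policy"` block) was the only place that showed how a role gets attached to a named policy. Either create `venafi-role2` in this step or reuse `test-role`, and state what happens when the same role is listed under `enforcement_roles` of two different policies, since that is now the natural mistake to make.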
Expand Down Expand Up @@ -225,6 +239,7 @@ configured using the special *venafi-policy* path which InfoSec teams can use to

## Quickstart: Enabling Venafi Visibility

# !! Need to rewrite this section. Visibility is on on the policy level now
1. Visibiliy is enabled at the [PKI role](https://www.vaultproject.io/docs/secrets/pki/index.html) by enabling the `venafi_import` option:
1. For the Venafi Platform:
```
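Review bot: `# !! Need to rewrite this section. Visibility is on on the policy level now` is a Markdown H1, so this internal TODO will render as the largest heading on the README. The file already uses an HTML comment for this purpose (`<!--TODO: add scheduled update script ...-->`); use that form, or better, rewrite the section before merging, since the text that follows still tells users to enable `venafi_import` on the role, which this commit says is no longer where visibility is configured.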
Expand Down Expand Up @@ -252,18 +267,8 @@ configured using the special *venafi-policy* path which InfoSec teams can use to

The following options are supported (note: this list can also be viewed from the command line using `vault path-help pki/roles/<ROLE_NAME>`):

| Parameter | Type | Description | Default |
| ----------------------- | ------- | ------------------------------------------------------------------------------| --------- |
| `venafi_import` | bool | Controls whether certificates are forwarded to the Venafi Platform or Venafi Cloud | `true` |
| `zone` | string | Venafi Platform policy folder where certificates will be imported; for Venafi Cloud this is the endpoint that the certificates will be sent to. | |
| `tpp_url` | string | Venafi URL (e.g. "https://tpp.venafi.example:443/vedsdk") | |
| `tpp_username` | string | Venafi Platform WebSDK account username | |
| `tpp_password` | string | Venafi Platform WebSDK account password | |
| `trust_bundle_file` | string | PEM trust bundle for Venafi Platform server certificate | |
| `venafi_import_timeout` | int | Maximum wait in seconds before re-attempting certificate import from queue | 15 |
| `venafi_import_workers` | int | Maximum number of concurrent threads to use for VCert import | 12 |
| `venafi_check_policy` | string | Which Venafi policy check to use | |
| `venafi_sync_policy` | string | Policy where to get Venafi connection details for policy synchronization | |



### Import Queue
After a certificate has been signed by the Vault CA it is added to the import queue. Processing of certificates in the queue
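Review bot: The role-option table is deleted, but the sentence introducing it ("The following options are supported ... `vault path-help pki/roles/<ROLE_NAME>`") is kept, so the section now promises a list and delivers three blank lines. Either drop that sentence or replace the table with the policy-level parameters (`import_roles`, `import_timeout`, `import_workers`) that now control what this section describes, and say explicitly whether `venafi_import`, `venafi_check_policy` and `venafi_sync_policy` are still accepted on the role or are now rejected.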
5 changes: 3 additions & 2 deletions plugin/pki/backend.go
Expand Up @@ -80,6 +80,7 @@ func Backend(conf *logical.BackendConfig) *backend {
pathVenafiPolicy(&b),
pathVenafiPolicyContent(&b),
pathVenafiPolicyList(&b),
pathVenafiPolicyMap(&b),
pathVenafiPolicySync(&b),
pathRevoke(&b),
pathTidy(&b),
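Review bot: `pathVenafiPolicyMap` registers a new API path on the backend, but none of the README changes in this commit mention it or its relationship to `enforcement_roles`/`defaults_roles`/`import_roles`; if this is the read-only view of the role-to-policy mapping, document the path and its required capabilities so operators can write an ACL for it.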
Expand All @@ -100,8 +101,8 @@ func Backend(conf *logical.BackendConfig) *backend {
log.Println("Can't start queue when storage is nil")
} else {
b.taskStorage.init()
b.importToTPP(b.storage, conf)
b.syncWithVenafiPolicyRegister(b.storage, conf)
b.importToTPP(conf)
b.syncRoleWithVenafiPolicyRegister(conf)
}

return &b
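Review bot: `importToTPP(conf)` and `syncRoleWithVenafiPolicyRegister(conf)` start background work from inside `Backend()`, i.e. at construction, and nothing in this hunk shows a matching stop; confirm the backend's cleanup hook cancels both loops, otherwise every remount or plugin reload leaks a worker that keeps talking to Venafi with the old configuration. Minor: the nil-storage branch uses `log.Println`, which bypasses Vault's structured logger; `b.Logger().Warn(...)` keeps the message in the audit trail operators actually read.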